PHP Melody SQL Injection Vulnerability in Video Edit Module

A remote SQL injection vulnerability has been identified in PHP Melody version 3.0, specifically within the video edit module. This vulnerability allows authenticated attackers to inject malicious SQL commands by exploiting the unvalidated 'vid' parameter. As a result, attackers could execute arbitrary database queries, potentially compromising both the web application and its database management system.

Impact

Exploitation of this vulnerability allows for remote SQL injection, where authenticated attackers can execute arbitrary SQL commands. This could lead to a compromise of the database management system, the web application, and the underlying web server.

Reproduction

The vulnerability can be reproduced by sending a GET request to 'edit-video.php' with a crafted 'vid' parameter that includes SQL injection payloads. This can be done manually or automated with a script that targets the vulnerability.

Remediation

Users are advised to update to the patched version of PHP Melody 3.0, available in their customer account under the 'Download Updates' page.